A trend on the web today is to create a platform where externally developed applications can run inside some kind of main application. This is often done by providing an API for accessing the data and business logic of your service, together with a sandbox environment in which third-party applications can run. Doing so makes it possible for external developers to come up with new ideas based on your service. Good examples of this are Spotify Apps, Apps on Facebook, and SalesForce.com.

Ipendo Systems AB is a company that develops a web platform for intellectual property. Currently, most functionality on this platform is developed in-house at Ipendo Systems AB. However, interest has arisen in enabling external developers to create applications that will in some way run inside the main platform.

In this thesis an analysis of existing solutions was carried out, covering Spotify Apps and Apps on Facebook. The two take different approaches to enabling third-party applications to run inside their services. Facebook’s solution builds mainly on iframe-embedded web pages, where data access is provided through a web API. Spotify, on the other hand, hosts the third-party applications itself, but the applications may only consist of HTML5, CSS3 and JavaScript.

In addition to the analysis, a prototype was developed. The purpose of the prototype was to show possible ways of enabling third-party applications to run inside your own service. Two solutions were developed to demonstrate this. The first was based on Facebook’s approach of iframing external web pages. The second was a slightly modified version of Spotify’s solution, with only client-side code hosted by the main application. To safely embed the client-side code in the main application, a JavaScript sandboxing tool called Caja was used.

Of the two versions implemented in the prototype, the iframe solution was considered more ready for use in a production environment than the Caja solution. Caja can be seen as an interesting technique for the future but might not be ready for use today. The reason behind this conclusion was that Caja decreased the performance of the written JavaScript and added complexity when developing the third-party applications.

Most people in the industrialized world use several web applications every day. Many of those web applications contain vulnerabilities that can allow attackers to steal sensitive data from the web application's users. One way to detect these vulnerabilities is to have a penetration tester examine the web application. A common way to train penetration testers to find vulnerabilities is to challenge them with realistic web applications that contain vulnerabilities. The penetration tester's assignment is to try to locate and exploit the vulnerabilities in the web application. Training on the same web application twice will not provide any new challenges, because the penetration tester already knows how to exploit all the vulnerabilities in it. Therefore, a vast number of web applications and variants of web applications are needed to train on.

This thesis describes a tool designed and developed to automatically generate vulnerable web applications. First, a web application is prepared so that the tool can generate a vulnerable version of it. The tool injects Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) vulnerabilities into prepared web applications. Different variations of the same vulnerability can also be injected, so that different methods are needed to exploit the vulnerability depending on the variation. The tool is intended to generate web applications for training penetration testers; some of the vulnerabilities it can inject cannot be detected by current free web application vulnerability scanners and would thus need to be found by a penetration tester.

To inject the vulnerabilities, the tool uses abstract syntax trees and taint analysis to detect where vulnerabilities can be injected in the prepared web applications.
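
As a rough illustration of this idea (not the thesis tool itself, which operates on prepared web applications), the sketch below uses Python's ast module to flag places where a user-controlled source flows into an output sink without sanitization. The function names get_param (source) and render (sink) are hypothetical.

```python
# Minimal taint-flow sketch using Python's ast module. Calls to a hypothetical
# source (get_param) nested inside a hypothetical sink (render) are reported
# as candidate injection points.
import ast

SOURCES = {"get_param"}   # functions returning user-controlled data (assumed)
SINKS = {"render"}        # functions writing data into the response (assumed)

def tainted_calls(code: str):
    """Return (line, sink) pairs where a source call is passed into a sink call."""
    findings = []
    for node in ast.walk(ast.parse(code)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in SINKS):
            for inner in ast.walk(node):
                if (inner is not node and isinstance(inner, ast.Call)
                        and isinstance(inner.func, ast.Name)
                        and inner.func.id in SOURCES):
                    findings.append((node.lineno, node.func.id))
    return findings

snippet = "render('<p>' + get_param('name') + '</p>')"
print(tainted_calls(snippet))   # [(1, 'render')] -> candidate XSS injection point
```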

Tests confirm that web application vulnerability scanners cannot find all the vulnerabilities on the web applications which have been generated by the tool.

5G will provide broadband access everywhere, support higher user mobility, and enable connectivity for a massive number of devices (e.g., the Internet of Things (IoT)) in an ultra-reliable and affordable way. The main technological enablers, such as cloud computing, Software Defined Networking (SDN) and Network Function Virtualization (NFV), are maturing towards their use in 5G. However, there are pressing security challenges in these technologies, besides the growing concerns for user privacy. In this paper, we provide an overview of the security challenges in these technologies and the issues of privacy in 5G. Furthermore, we present security solutions to these challenges and future directions for secure 5G systems.

Host Identity Protocol (HIP), a novel internetworking technology, proposes separating the identity and location roles of the Internet Protocol (IP). HIP has been successful from a technological perspective for network security and mobility; however, it has seen very limited deployment. In this paper we assess HIP to find the reasons behind its limited deployment and highlight the challenges HIP faces for commercial use. We propose technological developments and outline deployment strategies for the wide use of HIP. Furthermore, this paper investigates the use of HIP in Software Defined Networks (SDN) to evaluate its performance in new, disruptive networking technologies. In a nutshell, this paper reveals the challenges facing the deployment of innovative networking protocols and a way ahead for successful, large-scale deployment.

In this position paper we briefly introduce the SmartEnv ontology, which relies on the Semantic Sensor Network (SSN) ontology and is used to represent different aspects of smart and sensorized environments. We also describe the E-carehome project, which aims to provide an IoT-based health-care system for elderly people in their homes. Furthermore, we discuss the role of SmartEnv in E-carehome and how it needs to be further extended to achieve semantic interoperability, one of the challenges in the development of autonomous home health-care systems.

Sectra has a customer database with approximately 1600 customers across the world. In this system there exists not only medical information but also information about the environment in which the system runs, usage patterns and much more.

This report is about storing data received from log files in a suitable database. Sectra wants to be able to analyze this information so that they can make strategic decisions and get a better understanding of their customers' needs. The tested databases are MongoDB, Cassandra, and MySQL. The results show that MySQL is not suitable for storing large amounts of data with the current configuration. On the other hand, both MongoDB and Cassandra performed well with the growing amount of data.
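
As a hedged sketch of the kind of write-throughput test such a comparison involves (not the thesis's actual benchmark), the snippet below times bulk inserts of synthetic log records into MongoDB using pymongo; the connection string, database and collection names are assumptions for illustration.

```python
# Minimal write-throughput sketch against a local MongoDB instance (assumed).
import time
from pymongo import MongoClient

def generate_records(n):
    # Synthetic log-like documents standing in for parsed log file entries.
    return [{"host": f"site-{i % 100}", "level": "INFO", "seq": i} for i in range(n)]

client = MongoClient("mongodb://localhost:27017")
collection = client["logdb"]["events"]

for batch_size in (10_000, 100_000):
    docs = generate_records(batch_size)
    start = time.perf_counter()
    collection.insert_many(docs)
    elapsed = time.perf_counter() - start
    print(f"{batch_size:>7} docs inserted in {elapsed:.2f}s "
          f"({batch_size / elapsed:,.0f} docs/s)")
```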

Security has become a necessary part of nearly every software development project, as the overall risk from malicious users is constantly increasing due to increased consequences of failure and growing security threats and exposure to those threats. There are few projects today where software security can be ignored. Despite this, security is still rarely taken into account throughout the entire software lifecycle; security is often an afterthought, bolted on late in development, with little thought to what threats and exposures exist, and little thought given to maintaining security in the face of evolving threats and exposures. Software developers are usually not security experts. However, there are methods and tools available today that can help developers build more secure software. Security modeling (modeling of, e.g., threats and vulnerabilities) is one such method that, when integrated in the software development process, can help developers prevent security problems in software. We discuss these issues, and present how modeling tools, vulnerability repositories and development tools can be connected to provide support for secure software development.

Post-mortem analysis after recovery from an incident is recommended by most incident response experts. An analysis of why and how an incident happened is crucial for determining appropriate countermeasures to prevent its recurrence. Currently, there is a lack of structured methods for such an analysis that would identify the causes of a security incident. In this paper, we present a structured method to perform the post-mortem analysis and to model the causes of an incident visually in a graph structure. This method is an extension of our earlier work on modeling software vulnerabilities. The goal of modeling incidents is to develop an understanding of what could have caused the security incident and how its recurrence can be prevented in the future. The method presented in this paper is intended to be used during the post-mortem analysis of incidents by incident response teams.

In this paper we present a security plug-in for the OpenUP/Basic development process. Our security plug-in is based on a structured unified process for secure software development, named S3P (sustainable software security process). This process provides the formalism required to identify the causes of vulnerabilities and the mitigation techniques that prevent these vulnerabilities. We also present the results of an expert evaluation of the security plug-in. The lessons learned from development of the plug-in and the results of the evaluation will be used when adapting S3P to other software development processes.

Security of software systems has become one of the biggest concerns in our everyday life, since software systems are increasingly used by individuals, companies and governments. One way to help software system consumers gain assurance about the security measures of software products is to evaluate and certify these products with standard evaluation processes. The Common Criteria (ISO/IEC 15408) evaluation scheme is a standard that is widely used by software vendors. This process does not include information about already known vulnerabilities, their attack data and lessons learned from them. This has resulted in criticisms concerning the accuracy of this evaluation scheme since it might not address the areas in which actual vulnerabilities might occur.

In this paper, we present a methodology that introduces information about threats from vulnerabilities to Common Criteria documents. Our methodology improves the accuracy of the Common Criteria by providing information about known vulnerabilities in Common Criteria’s security target. Our methodology also provides documentation about how to fulfill certain security requirements, which can reduce the time for evaluation of the products.

There is a continuous struggle for control of resources at every organization that is connected to the Internet. The local organization wishes to use its resources to achieve strategic goals. Some external entities seek direct control of these resources, for purposes such as spamming or launching denial-of-service attacks. Other external entities seek indirect control of assets (e.g., users, finances), but provide services in exchange for them.

Using a year-long trace from an edge network, we examine what various external organizations know about one organization. We compare the types of information exposed by or to external organizations using either active (reconnaissance) or passive (surveillance) techniques. We also explore the direct and indirect control external entities have over local IT resources.

The World Wide Web and the services it provides are continually evolving. Even for a single time instant, it is a complex task to methodically determine the infrastructure over which these services are provided and the corresponding effect on user-perceived performance. For such tasks, researchers typically rely on active measurements or large numbers of volunteer users. In this paper, we consider an alternative approach, which we refer to as passive crowd-based monitoring. More specifically, we use passively collected proxy logs from a global enterprise to observe differences in the quality of service (QoS) experienced by users on different continents. We also show how this technique can measure properties of the underlying infrastructures of different Web content providers. While some of these properties have been observed using active measurements, we are the first to show that many of these properties (such as the location of servers) can be obtained using passive measurements of actual user activity. Passive crowd-based monitoring has the advantages that it adds no overhead to the Web infrastructure and requires no specific software on the clients, while still capturing the performance and infrastructure observed through actual Web usage.

Success in the life sciences depends on access to information in knowledge bases and literature. Finding and extracting the relevant information depends on a user’s domain knowledge and on knowledge of the search technology. In this paper we present a system that helps users formulate queries and search the scientific literature. The system coordinates ontologies, knowledge representation, text mining and NLP techniques to generate relevant queries in response to keyword input from the user. Queries are presented in natural language, translated to formal query syntax and issued to a knowledge base of scientific literature, documents or aligned document segments. We describe the components of the system and exemplify using real-world examples.

Gated Bayesian networks (GBNs) are an extension of Bayesian networks that aim to model systems that have distinct phases. In this paper, we aim to use GBNs to output buy and sell decisions for use in algorithmic trading systems. These systems may have several parameters that require tuning, and the performance of the systems as a function of their parameters cannot be expressed in closed form; assessing it therefore requires simulation. Bayesian optimisation has grown in popularity as a means of global optimisation of parameters where the objective function may be costly or a black box. We show how algorithmic trading using GBNs, supported by Bayesian optimisation, can lower risk towards invested capital, while at the same time generating similar or better rewards, compared to the benchmark investment strategy buy-and-hold.
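
A minimal sketch of the optimisation layer only follows, assuming a hypothetical backtest function standing in for the costly GBN trading simulation; gp_minimize from scikit-optimize is used here purely as one example of Bayesian optimisation, not as the paper's actual setup.

```python
# Bayesian optimisation over two hypothetical trading thresholds.
from skopt import gp_minimize

def backtest(threshold_buy, threshold_sell):
    # Placeholder for the costly, black-box simulation of the trading system;
    # here a toy quadratic surface stands in for (negative) risk-adjusted return.
    return (threshold_buy - 0.7) ** 2 + (threshold_sell - 0.3) ** 2

def objective(params):
    buy, sell = params
    return backtest(buy, sell)  # gp_minimize minimises, so return a cost

result = gp_minimize(objective,
                     dimensions=[(0.5, 1.0), (0.0, 0.5)],  # bounds for the thresholds
                     n_calls=30, random_state=0)
print("best parameters:", result.x, "cost:", result.fun)
```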

Bayesian networks have grown to become a dominant type of model within the domain of probabilistic graphical models. Not only do they empower users with a graphical means for describing the relationships among random variables, but they also allow for (potentially) fewer parameters to estimate, and enable more efficient inference. The random variables and the relationships among them decide the structure of the directed acyclic graph that represents the Bayesian network. It is the stasis over time of these two components that we question in this thesis.

By introducing a new type of probabilistic graphical model, which we call gated Bayesian networks, we allow the variables that we include in our model, and the relationships among them, to change over time. We introduce algorithms that can learn gated Bayesian networks that use different variables at different times, as required when the process we are modelling goes through distinct phases. We evaluate the efficacy of these algorithms within the domain of algorithmic trading, showing how the learnt gated Bayesian networks can improve upon a passive approach to trading. We also introduce algorithms that detect changes in the relationships among the random variables, allowing us to create a model that consists of several Bayesian networks, thereby revealing the changes and the structure by which they occur. The resulting models can be used to detect the currently most appropriate Bayesian network, and we show their use in real-world examples from the domains of sports analytics and finance.

We propose a regime-aware learning algorithm to learn a sequence of Bayesian networks (BNs) that model a system that undergoes regime changes. The last BN in the sequence represents the system’s current regime, and should be used for BN inference. To explore the feasibility of the algorithm, we create baseline tests against learning a single BN, and show that our proposed algorithm outperforms the single-BN approach. We also apply the learning algorithm to real-world data from the financial domain, where it is evident that the algorithm is able to produce BNs that have adapted to the regime changes during the global financial crisis of 2007-08.

In this paper we investigate how we can use gated Bayesian networks, a type of probabilistic graphical model, to represent regimes in baseball players’ career data. We find that baseball players do indeed go through different regimes throughout their career, where each regime can be associated with a certain level of performance. We show that some of the transitions between regimes happen in conjunction with major events in the players’ career, such as being traded or injured, but that some transitions cannot be explained by such events. The resulting model is a tool for managers and coaches that can be used to identify where transitions have occurred, as well as an online monitoring tool to detect which regime the player currently is in.

BACKGROUND: In recent years, many electronic health behavior interventions have been developed in order to reach individuals with unhealthy behaviors, such as risky drinking. This is especially relevant for university students, many of whom are risky drinkers.

OBJECTIVE: This study explored the acceptability and feasibility in a nontreatment-seeking group of university students (including both risk and nonrisk drinkers), of a fully automated, push-based, multiple-session, alcohol intervention, comparing two modes of delivery by randomizing participants to receive the intervention either by SMS text messaging (short message service, SMS) or by email.

METHODS: A total of 5499 students at Luleå University in northern Sweden were invited to participate in a single-session alcohol assessment and feedback intervention; 28.04% (1542/5499) of the students completed this part of the study. In total, 29.44% (454/1542) of those participating in the single-session intervention agreed to participate further in the extended multiple-session intervention lasting for 4 weeks. The students were randomized to receive the intervention messages via SMS or email. A follow-up questionnaire was sent immediately after the intervention and 52.9% (240/454) responded.

RESULTS: No difference was seen regarding satisfaction with the length and frequency of the intervention, regardless of the mode of delivery. Approximately 15% in both the SMS (19/136) and email groups (15/104) would have preferred the other mode of delivery. On the other hand, more students in the SMS group (46/229, 20.1%) stopped participating in the intervention during the 4-week period compared with the email group (10/193, 5.2%). Most students in both groups expressed satisfaction with the content of the messages and would recommend the intervention to a fellow student in need of reducing drinking. A striking difference was seen regarding when a message was read; 88.2% (120/136) of the SMS group read the messages within 1 hour in contrast to 45.2% (47/104) in the email group. In addition, 83.1% (113/136) in the SMS group stated that they read all or almost all the messages, compared with only 63.5% (66/104) in the email group.

CONCLUSIONS: Based on the feedback from the students, an extended, multiple-session, push-based intervention seems to be a feasible option for students interested in additional support after a single-session alcohol intervention. SMS as a mode of delivery seems to have some advantages over email regarding when a message is read and the proportion of messages read. However, more students in the SMS group stopped the intervention than in the email group. Based on these promising findings, further studies comparing the effectiveness of single-session interventions with extended multiple-session interventions delivered separately or in combination are warranted.

This paper introduces a new probabilistic graphical model called the gated Bayesian network (GBN). This model evolved from the need to represent real-world processes that include several distinct phases. In essence, a GBN is a model that combines several Bayesian networks (BNs) in such a manner that they may be active or inactive during queries to the model. We use objects called gates to combine BNs, and to activate and deactivate them when predefined logical statements are satisfied. These statements are based on combinations of posterior probabilities of the variables in the BNs. Although GBNs are a new formalism, they share features with other formalisms and research, including influence diagrams, context-specific independence and structural adaptation.
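
A toy sketch of the gating idea follows (not the GBN formalism itself): two placeholder networks expose a posterior probability for a trigger variable, and a gate hands control from one network to the other once that posterior crosses a predefined threshold. All names and numbers are illustrative.

```python
# Toy illustration of gate-based switching between two "networks".
class ToyNetwork:
    def __init__(self, name):
        self.name = name
    def posterior_trigger(self, evidence):
        # Placeholder for P(trigger | evidence) computed by BN inference.
        return evidence.get("signal", 0.0)

class Gate:
    def __init__(self, source, target, threshold):
        self.source, self.target, self.threshold = source, target, threshold
    def step(self, active, evidence):
        # Deactivate the source network and activate the target network
        # once the trigger posterior satisfies the gate's condition.
        if active is self.source and self.source.posterior_trigger(evidence) >= self.threshold:
            return self.target
        return active

buy_bn, sell_bn = ToyNetwork("buy-phase"), ToyNetwork("sell-phase")
gate = Gate(buy_bn, sell_bn, threshold=0.8)

active = buy_bn
for signal in (0.2, 0.6, 0.85):
    active = gate.step(active, {"signal": signal})
    print(f"signal={signal:.2f} -> active network: {active.name}")
```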

Gated Bayesian networks (GBNs) are a recently introduced extension of Bayesian networks that aims to model dynamical systems consisting of several distinct phases. In this paper, we present an algorithm for semi-automatic learning of GBNs. We use the algorithm to learn GBNs that output buy and sell decisions for use in algorithmic trading systems. We show how using the learnt GBNs can substantially lower risks towards invested capital, while at the same time generating similar or better rewards, compared to the benchmark investment strategy buy-and-hold.

Bayesian networks (BNs) are advantageous when representing single independence models, however they do not allow us to model changes among the relationships of the random variables over time. Due to such regime changes, it may be necessary to use different BNs at different times in order to have an appropriate model over the random variables. In this paper we propose two extensions to the traditional hidden Markov model, allowing us to represent both the different regimes using different BNs, and potential driving forces behind the regime changes, by modelling potential dependence between state transitions and some observable variables. We show how expectation maximisation can be used to learn the parameters of the proposed model, and run both synthetic and real-world experiments to show the model’s potential.
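
As a point of reference only, the sketch below fits a plain Gaussian HMM with EM (via hmmlearn) to segment a synthetic return series into two regimes; the model proposed in the paper goes further, with Bayesian-network emissions and transitions that may depend on observed variables, and is not reproduced here.

```python
# Baseline regime segmentation with a standard Gaussian HMM on synthetic data.
import numpy as np
from hmmlearn.hmm import GaussianHMM

rng = np.random.default_rng(0)
calm   = rng.normal(0.0005, 0.01, size=500)   # synthetic low-volatility regime
crisis = rng.normal(-0.002, 0.04, size=200)   # synthetic high-volatility regime
returns = np.concatenate([calm, crisis]).reshape(-1, 1)

model = GaussianHMM(n_components=2, covariance_type="full", n_iter=100, random_state=0)
model.fit(returns)                 # EM estimates transition and emission parameters
states = model.predict(returns)    # most likely regime per time step
print("estimated switch point near index:", int(np.argmax(np.diff(states) != 0)))
```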

Background: Previous research on the effectiveness of online alcohol interventions for college students has shown mixed results. Small benefits have been found in some studies, and because online interventions are inexpensive and possible to implement on a large scale, there is a need for further study.

Objective: This study evaluated the effectiveness of national provision of a brief online alcohol intervention for students in Sweden.

Methods: Risky drinkers at 9 colleges and universities in Sweden were invited by mail and identified using a single screening question. These students (N=1605) gave consent and were randomized into a 2-arm parallel-group randomized controlled trial consisting of immediate or delayed access to a fully automated online assessment and intervention with personalized feedback.

Results: After 2 months, there was no strong evidence of effectiveness, with no statistically significant differences in the planned analyses, although there was some indication of possible benefit in sensitivity analyses, suggesting an intervention effect of a 10% reduction (95% CI -30% to 10%) in total weekly alcohol consumption. Differences in effect sizes between universities were also seen, with participants from a major university (n=365) reducing their weekly alcohol consumption by 14% (95% CI -23% to -4%). However, lower recruitment than planned and differential attrition in the intervention and control groups (49% vs 68%) complicated interpretation of the outcome data.

Conclusions: Any effects of current national provision are likely to be small, and further research and development work is needed.

Radiologists' workload has been steadily increasing for decades. As digital technology matures, it improves the workflow for radiology departments and decreases the time necessary to examine patients. Computer systems are widely used in health care and are, for example, used to view radiology images. To simplify this, display protocols based on examination data are used to automatically create a layout and hang images for the user. To cover a wide variety of examinations, hundreds of protocols must be created, which is a time-consuming task, and the system can still fail to hang series if strict requirements in the protocols are not met. To remove the need for this manual step, we propose to use machine learning based on past manually corrected presentations. The classifiers are trained on the metadata in the examination and on how the radiologist preferred to hang the series. The chosen approach was to create classifiers for different layout rules and then use these predictions in an algorithm for assigning series types to individual image slots according to categories based on metadata, similar to how display protocols work. The resulting presentations show that the system is able to learn, but its prediction accuracy must increase if it is to be used commercially. Analyses of the different parts show that increased accuracy in the early steps should improve overall success.

Today, smartphones are in widespread use by consumers, commercial companies and government authorities. Unfortunately, there are many examples of applications carrying out malicious activities, such as stealing information or subscribing to premium-rate services. In this thesis work, a novel application whitelisting process (AWP) is proposed. It defines processes for application security audits and whitelisting, i.e., methods for classifying, evaluating and testing a given application to make sure, with a level of assurance, that it does not have malicious intentions. In a risk analysis of users in high-security environments, the results showed that confidentiality and availability are the most important security aspects to protect in this environment. The applications in the whitelisting process should therefore be tested for known malware and adware as well as for permissions that can be used to send private information to remote servers. Additionally, testing should also be carried out for information leakage through intents and content resolvers. Because whitelisting locks down the freedom and usability that come with a smartphone, three different leveled whitelists are proposed to satisfy users and organizations with different security needs. A prototype was developed to prove the overall usability of the design. The result of scanning 200 applications from Google Play showed that 12% of all applications can be placed in the highest-leveled whitelist. The results also suggest that 17.5% of all applications on Google Play are malware or potentially unwanted applications. The results indicate that, using this whitelisting process, about 30% of all applications can be whitelisted automatically and will not need manual analysis.
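
A small illustrative sketch of the leveled-whitelist idea is given below; the level names, permission list and rules are assumptions for illustration, not the exact criteria defined in the thesis.

```python
# Illustrative classification of an app into one of three whitelist levels
# based on hypothetical scan findings.
DANGEROUS_PERMISSIONS = {"READ_CONTACTS", "READ_SMS", "ACCESS_FINE_LOCATION"}

def classify(app):
    if app["malware"] or app["adware"]:
        return "rejected"
    leaks = app["leaks_via_intents"] or app["leaks_via_content_resolvers"]
    risky = DANGEROUS_PERMISSIONS & set(app["permissions"])
    if not risky and not leaks:
        return "level-3 (high security)"
    if not leaks:
        return "level-2 (medium security)"
    return "level-1 (basic vetting only)"

app = {"malware": False, "adware": False,
       "permissions": ["INTERNET", "ACCESS_FINE_LOCATION"],
       "leaks_via_intents": False, "leaks_via_content_resolvers": False}
print(classify(app))   # -> level-2 (medium security)
```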

Anonymity metrics have been proposed to evaluate anonymity-preserving systems by estimating the amount of information disclosed by these systems due to vulnerabilities. Here we propose a general anonymity metric that assesses such systems according to the amount and quality of information learned by an attacker or a collaboration of attackers.

The proposed metric is based on subjective logic, a generalization of evidence and probability theory. Based on defined scenarios, we show that our metric provides a better interpretation of uncertainty in the measure, and that it can be extended to combine various sources of information using subjective logic operators. We also demonstrate that two factors, trust between collaborating attackers and time, can significantly influence the metric's result when taken into consideration.
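
For illustration, the sketch below implements one textbook building block of subjective logic, a binomial opinion and Jøsang's cumulative fusion operator, which could be used to combine evidence from two collaborating attackers; it is not the full metric proposed in the paper, and the numbers are made up.

```python
# Binomial opinions and cumulative fusion from standard subjective logic.
from dataclasses import dataclass

@dataclass
class Opinion:
    b: float  # belief
    d: float  # disbelief
    u: float  # uncertainty (b + d + u = 1)
    a: float  # base rate

    def expectation(self):
        return self.b + self.a * self.u

def cumulative_fusion(x: Opinion, y: Opinion) -> Opinion:
    k = x.u + y.u - x.u * y.u
    b = (x.b * y.u + y.b * x.u) / k
    d = (x.d * y.u + y.d * x.u) / k
    u = (x.u * y.u) / k
    denom = x.u + y.u - 2 * x.u * y.u
    a = (x.a + y.a) / 2 if denom == 0 else \
        (x.a * y.u + y.a * x.u - (x.a + y.a) * x.u * y.u) / denom
    return Opinion(b, d, u, a)

attacker1 = Opinion(b=0.6, d=0.1, u=0.3, a=0.5)   # illustrative observations
attacker2 = Opinion(b=0.4, d=0.2, u=0.4, a=0.5)
fused = cumulative_fusion(attacker1, attacker2)
print(f"fused expectation of identifying the sender: {fused.expectation():.3f}")
```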

Policies are pervasive in web applications. They play crucial roles in enhancing security, privacy and usability of distributed services. There has been extensive research in the area, including the Semantic Web community, but several aspects still exist that prevent policy frameworks from widespread adoption and real world application. This paper discusses important requirements and open research issues in this context, focusing on policies in general and their integration into trust management frameworks, as well as on approaches to increase system cooperation, usability and user-awareness of policy issues.

In this paper, we analyze privacy-enhancing protocols for Smart Grids that are based on anonymity networks. The underlying idea behind such protocols is attributing two distinct partial identities for each consumer. One is used to send real-time information about the power consumption, and the other for transmitting the billing information. Such protocols provide sender anonymity for the real-time information, while consolidated data is sent for billing. In this work, the privacy properties of such protocols are analyzed, and their computational efficiency is evaluated and compared using simulation to other solutions based on homomorphic encryption.
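
As a sketch of the comparison baseline only (not the anonymity-network protocols themselves), the snippet below shows additively homomorphic aggregation of smart-meter readings with the python-paillier (phe) library; the key pair and toy readings are assumptions for illustration.

```python
# Paillier aggregation: the aggregator sums ciphertexts without seeing the
# individual readings; only the holder of the private key can decrypt the total.
from phe import paillier

public_key, private_key = paillier.generate_paillier_keypair(n_length=2048)

readings = [312, 285, 540, 401]                       # Wh, one per household (toy data)
ciphertexts = [public_key.encrypt(r) for r in readings]

encrypted_total = sum(ciphertexts[1:], ciphertexts[0])  # homomorphic addition
print("decrypted total:", private_key.decrypt(encrypted_total))  # 1538
```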

Video dissemination through sites such as YouTube can have widespread impacts on opinions, thoughts, and cultures. Not all videos will reach the same popularity and have the same impact. Popularity differences arise not only because of differences in video content, but also because of other "content-agnostic" factors. The latter factors are of considerable interest but it has been difficult to accurately study them. For example, videos uploaded by users with large social networks may tend to be more popular because they tend to have more interesting content, not because social network size has a substantial direct impact on popularity.

In this paper, we develop and apply a methodology that is able to accurately assess, both qualitatively and quantitatively, the impacts of various content-agnostic factors on video popularity. When controlling for video content, we observe a strong linear "rich-get-richer" behavior, with the total number of previous views as the most important factor except for very young videos. The second most important factor is found to be video age. We analyze a number of phenomena that may contribute to rich-get-richer, including the first-mover advantage, and search bias towards popular videos. For young videos we find that factors other than the total number of previous views, such as uploader characteristics and number of keywords, become relatively more important. Our findings also confirm that inaccurate conclusions can be reached when not controlling for content.
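
The simulation below is purely illustrative and is not the paper's methodology: it shows how a linear rich-get-richer rule alone can produce large popularity gaps among videos of identical content quality.

```python
# Preferential-attachment style toy simulation of video view counts.
import random

random.seed(1)
views = [0] * 20                 # 20 videos with identical content quality
attractiveness_floor = 1.0       # baseline chance for videos with zero views

for _ in range(10_000):          # 10,000 viewing events
    weights = [v + attractiveness_floor for v in views]
    chosen = random.choices(range(len(views)), weights=weights)[0]
    views[chosen] += 1

print("most viewed:", max(views), " least viewed:", min(views))
# Despite identical content, early random luck compounds into large popularity gaps.
```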

This paper develops a framework for studying the popularity dynamics of user-generated videos, presents a characterization of the popularity dynamics, and proposes a model that captures the key properties of these dynamics. We illustrate the biases that may be introduced in the analysis for some choices of the sampling technique used for collecting data; however, sampling from recently-uploaded videos provides a dataset that is seemingly unbiased. Using a dataset that tracks the views to a sample of recently-uploaded YouTube videos over the first eight months of their lifetime, we study the popularity dynamics. We find that the relative popularities of the videos within our dataset are highly non-stationary, owing primarily to large differences in the required time since upload until peak popularity is finally achieved, and secondly to popularity oscillation. We propose a model that can accurately capture the popularity dynamics of collections of recently-uploaded videos as they age, including key measures such as hot set churn statistics, and the evolution of the viewing rate and total views distributions over time.

This master's thesis investigates whether customer churn can be predicted at the Swedish CRM-system provider Lundalogik. Churn occurs when a customer leaves a company and is a relevant issue since it is cheaper to keep an existing customer than to find a new one. If churn can be predicted, the company can target their resources to those customers and hopefully keep them. Finding the customers likely to churn is done by mining Lundalogik's customer database to find patterns that result in churn. Customer attributes considered relevant for the analysis are collected and prepared for mining. In addition, new attributes are created from information in the database and added to the analysis. The data mining was performed with Microsoft SQL Server Data Tools in iterations, where the data was prepared differently in each iteration. The major conclusion from this thesis is that churn can be predicted at Lundalogik. The mining resulted in new insights regarding churn but also confirmed some of Lundalogik's existing theories regarding churn. There are many factors that need to be taken into consideration when evaluating the results and deciding which preparation gives the best results. To further improve the prediction, some final recommendations, e.g., including invoice data, are given to Lundalogik.
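
The thesis used Microsoft SQL Server Data Tools; as a hedged sketch of the same idea, the snippet below trains a churn classifier with scikit-learn on hypothetical customer attributes (the column names and data are illustrative, not Lundalogik's actual database).

```python
# Toy churn-prediction pipeline on made-up customer attributes.
import pandas as pd
from sklearn.ensemble import RandomForestClassifier
from sklearn.model_selection import train_test_split
from sklearn.metrics import classification_report

customers = pd.DataFrame({
    "months_as_customer": [4, 36, 12, 60, 8, 24, 48, 6],
    "support_tickets":    [9,  1,  4,  0, 7,  2,  1, 8],
    "licenses":           [2, 40, 10, 55, 3, 15, 30, 2],
    "churned":            [1,  0,  0,  0, 1,  0,  0, 1],
})

X, y = customers.drop(columns="churned"), customers["churned"]
X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.25, random_state=0)

model = RandomForestClassifier(n_estimators=100, random_state=0).fit(X_train, y_train)
print(classification_report(y_test, model.predict(X_test), zero_division=0))
```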

From originally being of little concern, security has become a crucial quality factor in modern software. The risk associated with software insecurity has increased dramatically with increased reliance on software and a growing number of threat agents. Nevertheless, developers still struggle with security. It is often an afterthought, bolted on late in development or even during deployment. Consequently the same kinds of vulnerabilities appear over and over again.

Building security into software from its inception and constantly adapting processes and technology to changing threats and a changing understanding of security can significantly contribute to establishing and sustaining a high level of security.

This thesis presents the sustainable software security process, the S3P, an approach to software process improvement for software security that focuses on preventing known vulnerabilities by addressing their underlying causes, and on sustaining a high level of security by adapting the process to new vulnerabilities as they become known. The S3P is designed to overcome many of the known obstacles to software process improvement. In particular, it ensures that existing knowledge can be used to its full potential and that the process can be adapted to nearly any environment and used in conjunction with other software security processes and security assurance models.

The S3P is a three-step process based on semi-formal modeling of vulnerabilities, ideally supported by collaborative tools. Such proof-of-concept tools were developed for all parts of the process as part of the SHIELDS project.

The first two steps of the S3P consist of determining the potential causes of known vulnerabilities at all stages of software development, then identifying measures that would prevent each individual cause. These steps are performed using visual modeling languages with well-defined semantics and a modeling workflow. With tool support, modeling effort can be progressively reduced through collaboration and the use of pre-existing models.

Next, the costs of all potential measures are estimated using any suitable method. This thesis uses pairwise comparisons in order to support qualitative judgements. The models and costs yield a boolean optimization problem that is solved using a search-based heuristic to identify the best set of measures to prevent selected vulnerabilities.
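
A minimal sketch of the pairwise-comparison step follows, using the standard geometric-mean approximation from the Analytic Hierarchy Process to turn a matrix of relative cost judgements into normalised cost weights; the measures and judgements are illustrative, not taken from the thesis.

```python
# Deriving relative cost weights from a pairwise comparison matrix (AHP-style).
import numpy as np

measures = ["input validation training", "static analysis tool", "code review checklist"]
# pairwise[i][j] = how many times more costly measure i is judged to be than j
pairwise = np.array([
    [1.0, 1/3, 1/2],
    [3.0, 1.0, 2.0],
    [2.0, 1/2, 1.0],
])

geometric_means = pairwise.prod(axis=1) ** (1 / pairwise.shape[1])
weights = geometric_means / geometric_means.sum()

for name, w in zip(measures, weights):
    print(f"{name:<28} relative cost {w:.2f}")
```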

Empirical evaluation of the various steps of the process has verified a number of key aspects: the modeling process is easy to learn and apply, and the method is perceived by developers as providing value and improving security. Early evaluation results were also used to refine certain aspects of the S3P.

The modeling languages that were introduced in the S3P have since been enhanced to support other applications. This thesis presents security goal models (SGMs), a language that subsumes several security-related modeling languages to unify modeling of threats, attacks, vulnerabilities, activities, and security goals. SGMs have formal semantics and are sufficiently expressive to support applications as diverse as automatic run-time testing, static analysis, and code inspection. Proof-of-concept implementations of these applications were developed as part of the SHIELDS project.

Finally, the thesis discusses how individual components of the S3P can be used in situations where the full process is inappropriate.

Security is often an afterthought in software development, sometimes even bolted on during deployment or in maintenance through add-on security software and penetrate-and-patch maintenance. We think that security needs to be an integral part of software development and that preventing vulnerabilities by addressing their causes is as important as detecting and fixing them. In this paper we present a method for determining how to prevent vulnerabilities from being introduced during software development. Our method allows developers to select the set of activities that suits them best while being assured that those activities will prevent vulnerabilities. Our method is based on formal modeling of vulnerability causes and is independent of the software development process being used.

Tools for disk imaging (or, more generally speaking, digital acquisition) are a foundation for forensic examination of digital evidence. Therefore, it is crucial that such tools work as expected. The only way to determine whether this is the case is through systematic testing of each tool. In this paper we present such an evaluation of the disk imaging functions of EnCase 6.8® and LinEn 6.1, conducted on behalf of the Swedish National Laboratory of Forensic Science. Although both tools performed as expected under most circumstances, we identified cases that exposed flaws in LinEn 6.1 which can lead to inaccurate and incomplete acquisition results. We have also identified limitations in the tool that were not evident from its documentation. In addition to summarizing the test results, we present our testing methodology, which has novel elements that we think can benefit other evaluation projects.

When using certain tools to image drives that contain faulty sectors, the tool may fail to acquire a run of sectors even though only one of the sectors is really faulty. This phenomenon, which we have dubbed "contagious errors", was reported by James Lyle and Mark Wozar in a recent paper presented at DFRWS 2007 [Lyle, J., Wozar, M. Issues with imaging drives containing faulty sectors. Digital Investigation 2007; 4S: S13-5.]. Their results agree with our own experience from testing disk imaging software as part of our work for the Swedish National Laboratory of Forensic Science. We have explored the issue further, in order to determine the cause of contagious errors and to find ways around the issue. In this paper we present our analysis of the cause of contagious errors as well as several ways practitioners can avoid the problem. In addition, we present our insights into the problem of consistently faulty drives in forensic tool testing.
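
As a simplified illustration of one way around the problem (not the behaviour of EnCase or LinEn, and not a forensically complete imager), the sketch below reads in large blocks and falls back to sector-by-sector reads when a block fails, so that only the truly unreadable sectors are zero-filled.

```python
# Block reads with per-sector fallback, limiting loss to genuinely bad sectors.
import os

SECTOR = 512
BLOCK = 64 * SECTOR     # read granularity used for the fast path

def image(device_path, output_path):
    src = os.open(device_path, os.O_RDONLY)
    size = os.lseek(src, 0, os.SEEK_END)
    with open(output_path, "wb") as dst:
        offset = 0
        while offset < size:
            want = min(BLOCK, size - offset)
            try:
                os.lseek(src, offset, os.SEEK_SET)
                dst.write(os.read(src, want))                   # fast path: whole block
            except OSError:
                for s in range(offset, offset + want, SECTOR):  # slow path: per sector
                    try:
                        os.lseek(src, s, os.SEEK_SET)
                        dst.write(os.read(src, min(SECTOR, size - s)))
                    except OSError:
                        dst.write(b"\x00" * min(SECTOR, size - s))  # only this sector lost
            offset += want
    os.close(src)

# image('/dev/sdb', 'evidence.dd')   # example invocation (requires read access)
```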

Security is often an afterthought when developing software, and is often bolted on late in development or even during deployment or maintenance, through activities such as penetration testing, add-on security software and penetrate-and-patch maintenance. We believe that security needs to be built into the software from the beginning, and that security activities need to take place throughout the software lifecycle. Accomplishing this effectively and efficiently requires a structured approach combining a detailed understanding of what causes vulnerabilities and how to prevent them. In this paper we present a process for software security that is based on vulnerability cause graphs, a formalism we have developed for modeling the causes of software vulnerabilities. The purpose of the software security process is to evolve the software development process so that vulnerabilities are prevented. The process we present differs from most current approaches to software security in its high degree of adaptability and in its ability to evolve in step with changing threats and risks. This paper focuses on how to apply the process and the criteria that have influenced the process design.

Security has become recognized as a critical aspect of software development, leading to the development of various security-enhancing techniques, many of which use some kind of custom modeling language. Models in different languages cannot readily be related to each other, which is an obstacle to using several techniques together. The sheer number of languages is, in itself, also an obstacle to adoption by developers. The authors have developed a modeling language that can be used in place of four existing modeling languages: attack trees, vulnerability cause graphs, security activity graphs, and security goal indicator trees. Models in the new language can be transformed to and from the earlier language, and a precise definition of model semantics enables an even wider range of applications, such as testing and static analysis. This chapter explores this new language.

Security is becoming recognized as an important aspect of software development, leading to the development of various security-enhancing techniques, many of which use some kind of custom modeling language. Models in different languages cannot readily be related to each other, which is an obstacle to using several techniques together. The sheer number of languages is, in itself, also an obstacle to adoption by developers.

We have developed a modeling language that can be used in place of four existing modeling languages: attack trees, vulnerability cause graphs, security activity graphs, and security goal indicator trees. Our language is more precise than earlier languages, which allows models to be used in automated applications such as testing and static analysis. Models in the new language can be transformed to and from earlier languages. We also present a data model that allows users to relate different kinds of models and model elements to each other and to core security knowledge.

Software security is accomplished by introducing security-related activities into the software development process or by altering existing activities so that security is taken into account. Since the importance of software security has only relatively recently received the recognition it deserves, security is not ingrained into the development processes in common use today. A variety of approaches to software security have been proposed, but they rarely support developers in determining which security activities are appropriate for them and which they should choose to implement. An exception to this rule is the Sustainable Software Security Process (S3P). This paper describes the final step of the S3P, which helps developers estimate the cost of security-related activities and select the combination of security activities that best suits their needs. This is accomplished by applying the Analytic Hierarchy Process and an automated search heuristic, scatter search, to the models created as part of the S3P.